{"id":25862822,"url":"https://github.com/datachefhq/aws-data-landing-zone","last_synced_at":"2026-05-04T10:03:12.983Z","repository":{"id":265244541,"uuid":"775941215","full_name":"DataChefHQ/aws-data-landing-zone","owner":"DataChefHQ","description":"The Data Landing Zone is a CDK Construct designed to create a landing zone tailored for supporting and enabling AI, data-driven, data mesh, and cloud projects.","archived":false,"fork":false,"pushed_at":"2025-07-07T00:21:35.000Z","size":9609,"stargazers_count":18,"open_issues_count":26,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-07-07T01:30:25.368Z","etag":null,"topics":["ai","aws","cdk","data-mesh","landing-zone"],"latest_commit_sha":null,"homepage":"https://datalandingzone.com","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DataChefHQ.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.MD","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-03-22T10:59:12.000Z","updated_at":"2025-02-21T07:14:36.000Z","dependencies_parsed_at":"2024-12-31T01:19:18.740Z","dependency_job_id":"4be08f37-fc38-42e9-8891-a5cb11922381","html_url":"https://github.com/DataChefHQ/aws-data-landing-zone","commit_stats":null,"previous_names":["datachefhq/aws-data-landing-zone"],"tags_count":56,"template":false,"template_full_name":null,"purl":"pkg:github/DataChefHQ/aws-data-landing-zone","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DataChefHQ%2Faws-data-landing-zone","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DataChefHQ%2Faws-data-landing-zone/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DataChefHQ%2Faws-data-landing-zone/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DataChefHQ%2Faws-data-landing-zone/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DataChefHQ","download_url":"https://codeload.github.com/DataChefHQ/aws-data-landing-zone/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DataChefHQ%2Faws-data-landing-zone/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264915991,"owners_count":23682957,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai","aws","cdk","data-mesh","landing-zone"],"created_at":"2025-03-01T23:57:01.747Z","updated_at":"2026-05-04T10:03:12.962Z","avatar_url":"https://github.com/DataChefHQ.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Data Landing Zone\n\n\u003c!-- TOC --\u003e\n* [Getting Started](#getting-started)\n * [Typescript](#typescript)\n * [Python](#python-example)\n* [Key Features](#key-features)\n* [Intended Audience](#intended-audience)\n* [Core Principles](#core-principles)\n* [Integrated AWS Services](#integrated-aws-services)\n* [How it works](#how-it-works)\n* [Sponsors](#sponsors)\n* [Contributing](#contributing)\n* [Docs](#docs)\n* [Roadmap](#roadmap)\n\u003c!-- TOC --\u003e\n\nThe **Data Landing Zone (DLZ)** is a CDK construct designed to accelerate AI and data-related projects. It provides an\nopinionated Landing Zone, laying the foundation for a multi-account AWS strategy, so you can focus on delivering data\nand AI solutions.\n\nThe DLZ can be deployed in existing AWS Organizations or used in greenfield projects. It supports setups ranging\nfrom small organizations with a few accounts to large enterprises with hundreds of accounts.\n\nSee the Documentation Website: https://datalandingzone.com/ for more information. \n\nThe CDK construct is available in both TypeScript and Python. Example GitHub repositories showing usage:\n- [TypeScript Example GitHub Repo](https://github.com/DataChefHQ/aws-data-landing-zone-example-typescript)\n- [Python Example GitHub Repo](https://github.com/DataChefHQ/aws-data-landing-zone-example-python)\n\n## Getting Started\n\n### Typescript\n\nInstall the [aws-data-landing-zone](https://www.npmjs.com/package/aws-data-landing-zone) CDK construct from NPM:\n\n```bash\nnpm install aws-data-landing-zone\n```\n\nUse the construct as a stack in your CDK application. Replace the `organizationId`, `ouId`, `ous`, `accountId`, and\n`regions` with your own values as per AWS Control Tower \u0026 AWS Organizations.\n\nThe example below shows a simple DLZ setup with two accounts, one for development and one for production, creating\ntwo non-overlapping VPCs in two regions in each account.\n\n```ts\nimport {App} from 'aws-cdk-lib';\nimport { DataLandingZone, Defaults } from 'aws-data-landing-zone';\n\nconst app = new App();\nconst dlz = new DataLandingZone(app, {\n ...\n regions: {\n global: Region.EU_WEST_1,\n regional: [Region.US_EAST_1],\n },\n budgets: [\n ...Defaults.budgets(100, 20, {\n slack: slackBudgetNotifications,\n emails: ['you@org.com'],\n }),\n ],\n denyServiceList: ['ecs:*'],\n // For full control over the deny-services baseline, use scpBaselineStatements\n // instead. Cannot be combined with denyServiceList. Mandatory-tags SCP is\n // always appended after these statements.\n // scpBaselineStatements: [\n // ScpDenyRootUserActions.statement(),\n // ScpDenyLeavingOrganization.statement(),\n // ],\n // SCP statements applied to every workload account of a given type, layered on\n // top of the org-wide baseline (deny-services + mandatory-tags SCP).\n // Merge order: baseline -\u003e account-type -\u003e per-account. Additive only.\n scpStatementsByAccountType: {\n development: [\n ScpDenyReservedCapacityPurchases.statement(),\n ScpDenySavingsPlanPurchases.statement(),\n ],\n production: [\n ScpDenyDisablingSecurityServices.statement(),\n ScpDenyRootUserActions.statement(),\n ScpDenyLeavingOrganization.statement(),\n ],\n },\n guardDuty: {\n autoEnableOrgMembers: 'NEW', // Can be ALL, NEW or NONE, Default is NONE\n },\n organization: {\n organizationId: 'o-0f5h921gk9',\n root: { accounts: { management: { accountId: '123456789012', }, }, },\n ous: {\n workloads: {\n ouId: 'ou-h2l0-gjr36ikn',\n accounts: [{\n name: 'development',\n accountId: '123456789012',\n type: DlzAccountType.DEVELOP,\n vpcs: [\n Defaults.vpcClassB3Private3Public(0, Region.EU_WEST_1), // CIDR 10.0.0./19\n Defaults.vpcClassB3Private3Public(1, Region.US_EAST_1), // CIDR 10.1.0./19\n ]\n },{\n name: 'production',\n accountId: '123456789012',\n type: DlzAccountType.PRODUCTION,\n guardDutyEnabled: true, // Only when we use NEW, this will enroll an old account into GuardDuty\n guardDutyFeatures: {\n eksAuditLogs: true,\n rdsLoginEvents: true,\n },\n // Per-account SCP statements layered on top of the org-wide baseline.\n // Additive only: cannot weaken the deny-services baseline or the mandatory-tags SCP.\n // Use the importable presets in `scp-presets/` for common controls,\n // or write your own iam.PolicyStatement instances.\n scpStatements: [\n ScpDenyDisablingSecurityServices.statement(),\n ScpDenyRootUserActions.statement(),\n ScpDenyActionsOutsideRegions.statement(['eu-west-1', 'us-east-1']),\n ],\n ...\n },\n\n ...AS MANY ACCOUNTS AS DESIRED...\n ]\n },\n },\n ...\n },\n network: {\n nats: [\n {\n name: \"development-eu-west-1-internet-access\",\n location: new NetworkAddress('development', Region.EU_WEST_1, 'default', 'public', 'public-1'),\n allowAccessFrom: [\n new NetworkAddress('development', Region.EU_WEST_1, 'default', 'private')\n ],\n type: {\n gateway: {\n eip: ... //Optional\n }\n }\n },\n ],\n bastionHosts: [\n {\n name: 'default',\n location: new NetworkAddress('development', Region.EU_WEST_1, 'default', 'private', 'private-1'),\n instanceType: InstanceType.of(InstanceClass.T3, InstanceSize.MICRO),\n }\n ]\n }\n});\n```\n\nContinue reading [Getting Started](https://datalandingzone.com/getting-started/) on the DLZ documentation site.\n\n\n### Python\n\nInstall the [aws-data-landing-zone](https://pypi.org/project/aws-data-landing-zone/#description) CDK construct from PyPi:\n\n```bash\npip install aws-data-landing-zone\n```\n\nUse the construct as a stack in your CDK application. Replace the `organizationId`, `ouId`, `ous`, `accountId`, and\n`regions` with your own values as per AWS Control Tower \u0026 AWS Organizations.\n\nThe example below shows a simple DLZ setup with two accounts, one for development and one for production, creating\ntwo non-overlapping VPCs in two regions in each account.\n\n```python\nimport aws_cdk as cdk\nimport aws_data_landing_zone as dlz\n\napp = cdk.App()\ndlz.DataLandingZone(app,\n ...\n regions=dlz.DlzRegions(\n global_=dlz.Region.EU_WEST_1,\n regional=[dlz.Region.US_EAST_1],\n ),\n guard_duty=dlz.DlzGuardDutyProps(\n auto_enable_org_members='NEW', # Can be ALL, NEW or NONE, Default is NONE\n ),\n budgets=[\n *dlz.Defaults.budgets(\n 100,\n 20,\n slack=slack_budget_notifications,\n emails=[\"you@org.com\"],\n ),\n ],\n deny_service_list=[\"ecs:*\"],\n # For full control over the deny-services baseline, use scp_baseline_statements\n # instead. Cannot be combined with deny_service_list. Mandatory-tags SCP is\n # always appended after these statements.\n # scp_baseline_statements=[\n # dlz.ScpDenyRootUserActions.statement(),\n # dlz.ScpDenyLeavingOrganization.statement(),\n # ],\n # SCP statements applied to every workload account of a given type, layered on\n # top of the org-wide baseline (deny-services + mandatory-tags SCP).\n # Merge order: baseline -\u003e account-type -\u003e per-account. Additive only.\n scp_statements_by_account_type=dlz.ScpStatementsByAccountType(\n development=[\n dlz.ScpDenyReservedCapacityPurchases.statement(),\n dlz.ScpDenySavingsPlanPurchases.statement(),\n ],\n production=[\n dlz.ScpDenyDisablingSecurityServices.statement(),\n dlz.ScpDenyRootUserActions.statement(),\n dlz.ScpDenyLeavingOrganization.statement(),\n ],\n ),\n organization=dlz.DLzOrganization(\n organization_id='o-0f5h921gk9',\n root=dlz.RootOptions(\n accounts=dlz.OrgRootAccounts(\n management=dlz.DLzManagementAccount(account_id='123456789012'),\n ),\n ),\n ous=dlz.OrgOus(\n workloads=dlz.OrgOuWorkloads(\n ou_id='ou-h2l0-gjr36ikn',\n accounts=[\n dlz.DLzAccount(\n name='development',\n account_id='123456789012',\n type=dlz.DlzAccountType.DEVELOP,\n vpcs: [\n dlz.Defaults.vpc_class_b3_private3_public(0, dlz.Region.EU_WEST_1), # CIDR 10.0.0./19\n dlz.Defaults.vpc_class_b3_private3_public(1, dlz.Region.US_EAST_1), # CIDR 10.1.0./19\n ]\n ),\n dlz.DLzAccount(\n name='production',\n account_id='123456789012',\n type=dlz.DlzAccountType.PRODUCTION,\n guard_duty_enabled: True, # Only when we use NEW, this will enroll an old account into GuardDuty\n guard_duty_features=dlz.DlzGuardDutyFeaturesProps(\n s3_data_events=False,\n eks_audit_logs=True,\n ebs_malware_protection=False,\n rds_login_events=False,\n lambda_network_logs=False,\n runtime_monitoring=False,\n ),\n # Per-account SCP statements layered on top of the org-wide baseline.\n # Additive only: cannot weaken the deny-services baseline or the mandatory-tags SCP.\n # Use the importable presets in `scp-presets/` for common controls,\n # or write your own iam.PolicyStatement instances.\n scp_statements=[\n dlz.ScpDenyDisablingSecurityServices.statement(),\n dlz.ScpDenyRootUserActions.statement(),\n dlz.ScpDenyActionsOutsideRegions.statement(['eu-west-1', 'us-east-1']),\n ],\n ),\n ],\n ),\n )\n ),\n network={\n \"nats\": [\n {\n \"name\": \"development-eu-west-1-internet-access\",\n \"location\": NetworkAddress(\n \"development\", str(Region.EU_WEST_1), \"default\", \"public\", \"public-1\",\n ),\n \"allow_access_from\": [\n NetworkAddress(\n \"development\", str(Region.EU_WEST_1), \"default\", \"private\"\n ),\n ],\n \"type\": {\n \"gateway\": {\n },\n },\n },\n ],\n \"bastion_hosts\": [\n {\n \"name\": \"default\",\n \"location\": NetworkAddress(\n \"development\", str(Region.EU_WEST_1), \"default\", \"public\", \"public-1\",\n ),\n \"instance_type\": ec2.InstanceType.of(\n ec2.InstanceClass.T3, ec2.InstanceSize.MICRO\n ),\n }\n ]\n }\n)\n```\n\nContinue reading [Getting Started](https://datalandingzone.com/getting-started/) on the DLZ documentation site.\n\n## Key Features\n\nNotable features of the DLZ include:\n\n- A CDK construct that can be used in TS and Python\n- Opinionated but configurable and extendable. Each stack and nested component can be extended if needed.\n- Leverages AWS Control Tower. Works with existing or new AWS Control Tower setups.\n- Suitable for greenfield projects or integration with existing AWS resources.\n- Deployable using any build systems like GitHub, GitLab, Jenkins, or locally.\n- Generates compliance reports, reporting the Control Tower Standards, SecurityHub controls, Config Rules and\n Service Control Policies enabled in each account.\n- Implements an internal wave- and stage-based deployment strategy for dependency management.\n- Includes helper scripts and Standard Operating Procedures (SOPs) for routine tasks.\n- Accompanied by comprehensive documentation.\n\n## Intended Audience\n\nThe DLZ handles the responsibilities and routine tasks typically managed by a Cloud Center of Excellence (CCoE) team.\nIt's easy enough for Data Engineers to use on their own, but flexible enough to be customized and fine-tuned by\nexperienced Cloud Engineers.\n\nIt's important to establish the following responsibilities to understand what is in and out of scope for the DLZ:\n- **In scope** - Any CCoE responsibilities and tasks, such as account management, security, networking, compliance, etc.\n- **Out of scope** - Application development, data engineering, and data science tasks.\n\n## Core Principles\n\nThe DLZ adheres to the following principles:\n\n1. Opinionated but configurable defaults to suit diverse needs.\n2. High levels of automation with manual SOPs where needed.\n3. Simplicity and ease of understanding over complexity\n4. Focused scope, limited to Landing Zone responsibilities.\n\n## Integrated AWS Services\n\n- **AWS Organizations:** Seamless multi-account management.\n- **AWS Budgets:** Track spending by tags with notifications via Slack, Teams, or email.\n- **Service Control Policies (SCPs):** Manage service deny lists.\n- **Tag Policies:** Enforce resource tagging for spend tracking and ownership.\n- **Control Tower Controls:** Opinionated defaults for preventive, detective, and proactive standards.\n- **AWS Security Hub** and **AWS Config:** Additional standards not covered by Control Tower. Notifications are\n delivered via Slack, Teams, or email\n- **Network Management:**\n - Non-overlapping **VPCs** across accounts.\n - **NAT Gateways** or instances for outbound private access.\n - **VPC Peering** for cross-account/region communication.\n - **Bastion Hosts** with **AWS SSM** for secure private resource access.\n - Simplified routing configurations.\n- **IAM Identity Center (SSO):**\n - User management with **AWS Identity Store** or external IDPs (e.g., Google, Active Directory).\n - Manage **Permission Sets**\n - Manage **Access Groups** to assign Users to Accounts with a given Permission Set\n- **Permission Boundaries:** Prevent privilege escalation for all IAM roles and users.\n- Configure **Lake Formation** for Data Lake management, including:\n - General settings, like admins, version and setting hybrid iam mode\n - Create **Tags** and specify their permissions for use within the same account and when sharing to other accounts.\n - Optionally, set **Tag Permissions** on Tags. This is usually out of scope for DLZ, but can be configured.\n\n## Service Control Policy presets\n\nDLZ ships a library of importable SCP presets under `src/constructs/organization-policies/scp-presets/` that you can attach to any account via `DLzAccount.scpStatements`, or to every account of a given type via `DataLandingZoneProps.scpStatementsByAccountType`. Each preset is one file, one class, one `static statement()` method.\n\nStatements are merged additively in the order: org-wide baseline → per-account-type → per-account. Deeper tiers can add deny rules but cannot weaken broader tiers.\n\nTypeScript:\n\n```ts\nscpStatementsByAccountType: {\n production: [\n ScpDenyDisablingSecurityServices.statement(),\n ScpDenyRootUserActions.statement(),\n ],\n development: [\n ScpDenyReservedCapacityPurchases.statement(),\n ],\n}\n```\n\nPython:\n\n```python\nscp_statements_by_account_type=dlz.ScpStatementsByAccountType(\n production=[\n dlz.ScpDenyDisablingSecurityServices.statement(),\n dlz.ScpDenyRootUserActions.statement(),\n ],\n development=[\n dlz.ScpDenyReservedCapacityPurchases.statement(),\n ],\n)\n```\n\n**Risk legend:**\n- 🟢 Low risk — typically safe to attach as-is.\n- 🟡 Medium risk — has a common gotcha; read the `@remarks` before attaching.\n- 🔴 High risk — easy to break legitimate workloads; attach only after deliberate review and a break-glass plan.\n\n**Foundation presets** (used internally by DLZ to build the org-wide baseline; importable for custom stacks):\n\n| Preset | What it denies | Risk |\n|---|---|---|\n| `ScpDenyServiceActions(serviceActions)` | A caller-supplied list of service actions across all resources. Backs `DataLandingZoneProps.denyServiceList` (and the default deny-services portion of `scpBaselineStatements`). | 🟢 |\n| `ScpDenyCfnStacksWithoutStandardTags(tags)` | `cloudformation:CreateStack` unless every required tag is present. Backs the mandatory-tags SCP. | 🟡 |\n| `ScpDenyIamWithoutPermissionsBoundary` | Creating/modifying IAM users or roles unless the `IamPolicyPermissionBoundaryPolicy` boundary is attached (4 statements). Pairs with `iamPolicyPermissionBoundary` prop. | 🟡 |\n\n**Opt-in CCoE presets** (attach to `DLzAccount.scpStatements` as needed):\n\n| Preset | What it denies | Risk |\n|---|---|---|\n| `ScpDenyLeavingOrganization` | `organizations:LeaveOrganization` from the member account. | 🟢 |\n| `ScpDenyRootCredentialsManagementInMemberAccounts` | Direct member-account root use, while permitting AWS-Organizations centralized root sessions (`aws:AssumedRoot`). | 🟢 |\n| `ScpDenyBedrockProvisionedThroughput` | Creation/modification of Bedrock provisioned model throughput (committed capacity). On-demand inference still works. | 🟢 |\n| `ScpDenyDedicatedInfraAndSubscriptions` | Outposts, Snowball clusters, Shield Advanced subscriptions, and ACM Private CA. | 🟢 |\n| `ScpDenyRootUserActions` | All actions performed by the account root user. | 🟡 |\n| `ScpDenySavingsPlanPurchases` | Creation of Savings Plans (1- or 3-year compute spend commitments). | 🟡 |\n| `ScpDenyReservedCapacityPurchases` | Reserved Instance and reserved-capacity purchases across EC2/RDS/DynamoDB/ElastiCache/Redshift/OpenSearch. | 🟡 |\n| `ScpDenyMarketplaceSubscriptions` | AWS Marketplace product subscriptions and agreement-approval acceptance. | 🟡 |\n| `ScpDenyDomainRegistrations` | Route 53 domain registrations, **renewals**, and transfers. | 🟡 |\n| `ScpDenyS3PublicAccessBypass` | Disabling or removing S3 Block Public Access at the account or bucket level. | 🟡 |\n| `ScpDenyDisablingSecurityServices` | Disabling/deleting CloudTrail, AWS Config, GuardDuty, Security Hub, or Macie. Only `AWSControlTowerExecution` is exempted. | 🟡 |\n| `ScpDenyS3ObjectLockAndRetention` | S3 (and S3 Object Lambda) object retention, legal-hold, governance bypass, and bucket Object Lock configuration. **Also blocks legitimate WORM/compliance use.** | 🔴 |\n| `ScpDenyGlacierVaultLock` | Initiating or completing a Glacier Vault Lock policy. **Also blocks compliance immutability.** | 🔴 |\n| `ScpDenyBackupVaultLock` | Enabling AWS Backup Vault Lock. **Also blocks ransomware-resistant backups.** | 🔴 |\n| `ScpDenyActionsOutsideRegions(allowedRegions)` | All regional API calls outside an explicit allow-list, exempting AWS global services. **Highest blast radius — a wrong region list denies every regional API call.** | 🔴 |\n\n\u003e **Note on the AWS 5120-byte SCP body limit:** combining all 15 presets at once exceeds the quota by a few hundred bytes. Pick a subset; `ScpDenyActionsOutsideRegions` alone is ~1500 bytes. The merge step (`ScpMerge.validate`) catches over-budget combinations at synth time.\n\n## How it works\n\nThe DLZ defines all accounts and resources in a single CDK construct that can be used in Typescript or Python CDK\nproject.\n\nThe DLZ deploys resources into specified AWS accounts. These accounts must be created manually (SOP provided) in the\nworkloads OU, and their Account IDs must be provided in the DLZ configuration. Each account is designated\nas either `development` or `production` to enable controlled, staged deployments, including the option for manual\napprovals in production environments.\n\nThe construct processes the provided configuration to create logical deployment layers for resources. Each layer\nconsists of a Global Wave and optionally one or more Regional Waves. This structure ensures that all `global` stacks\nfor the accounts are deployed before the `regional` stacks. Resources in the `global` stack are region-independent, such\nas IAM roles, whereas resources like VPCs can be deployed in both `global` and `regional` stacks if configured as such.\n\nContinue reading the [Introduction](https://datalandingzone.com/introduction/) on the Data Landing Zone documentation site.\n\n## Sponsors\nProudly sponsored and created by [DataChef](https://datachef.co.za/)\n\n## Contributing\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for more info\n\n## Docs\nCan be found at https://datalandingzone.com/\n\n## Roadmap\nCan be found in the [here](https://github.com/orgs/DataChefHQ/projects/4)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdatachefhq%2Faws-data-landing-zone","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdatachefhq%2Faws-data-landing-zone","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdatachefhq%2Faws-data-landing-zone/lists"}